I think I'll just keep posting to this thread, and collate all this info at a later date. Nanopico and I have been continuing our email exchange. While he works on the Trampoline and System file stuff, I'm hacking away at the Nanokernel.
After testing out IDA (what a mess) and trying to wrestle with the GNU Binutils, I have settled on rolling my own disassembler and static kinda-analyser. It is called Statin, and it uses Capstone as its disassembly backend and Networkx to maintain a directed graph of control flow. Check it out:
https://github.com/elliotnunn/cdg5/blob/master/statin.py

At the moment Statin is hardly a general solution to anything, but I think that it has some potential. I am using it to hack on version 02.28 of the Mac OS Nanokernel, which as far as I know was the final release. I can only find it in Mac OS ROM version 10.2.1.
A quick update on what shipped when. Nanokernel v2 (the rewritten version that I am interested in) was released in mid-1999 as part of Mac OS 8.6. Its chief new feature was the ability to encapsulate the cooperative Mac OS environment inside a single preemptively scheduled "blue task". Other preemptive tasks could then be spun off from the blue task using version 2 of the Multiprocessing Services API, and could share the CPU with the blue task. Not bad for a point release.
On OldWorld systems, which already have Nanokernel v1 in ROM, the blue task loads Nanokernel v2 from a System file "kern" resource early in the boot process. The new Nanokernel gets executed and performs some shenanigans to squeeze out the old Nanokernel, then resumes the normal boot process. If this patch process fails, then boot can still continue with the old nanokernel. This is why Sheepshaver (which has only ever worked with Nanokernel v1) can boot 8.6 and 9.0 (and, rumour has it, 9.1). By 9.2, this was definitely no longer possible, and Nanokernel v2 was a hard requirement (but do remember that the only OldWorld machines on which 9.2 officially ran were beige G3s). This is why people talk about Sheepshaver needing to emulate an MMU to run the final releases of 9 -- because Nanokernel v2 absolutely needs hardware VM. In fact, the Sheepshaver devs had to do a considerable amount of hacking just to get v1 to run without an MMU.
On NewWorld systems, things are thankfully a bit simpler. Nanokernel v2 occupies the same place in the ROM-in-RAM image that Nanokernel v1 used to -- up to about 100K at offset 0x310000. Mac OS ROM files versioned 1.4 or earlier shipped with Mac OS 8.5.1 or earlier and contain the old Nanokernel. Files versioned 1.6 or later shipped with Mac OS 8.6 or later and in "Mac OS ROM Update 1.0", and contain the new Nanokernel. But Nanokernel v2 really became useful with the release of the first Power Mac G4s, which were dual-core and AltiVec-equipped, a few months after OS 8.6. Side note: the Mac OS ROM file in these machines, versioned 2.5.1, is a bit of an oddball. It introduced the "parcels-based" format used in subsequent releases and by the Classic environment, and it has quite a large number of extraneous PEFs appended outside its compressed region, making it quite large.
The binary code in a System kern resource is the same as what you would find in a NewWorld ROM image. You can swap them over (I tried it). Anyone want to give Nanokernel 02.28 a go in an OldWorld machine? I'm pretty sure you'd be the first.
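As an added illustration of the core job a static analyser like Statin does (recover control flow from PowerPC code and keep it as a directed graph), here is example code written for this thread, not Statin's or the author's code: it stands in a tiny hand-rolled decoder for the PowerPC branch forms (b/bl, bc/bcl, blr) for Capstone and a plain dict for the NetworkX graph, so it runs with no dependencies. The sample bytes are a hand-assembled countdown loop constructed for the example, not Nanokernel code.

```python
import struct

def sign_extend(value, bits):          # low `bits` bits as two's complement
    return value - (1 << bits) if value & (1 << (bits - 1)) else value

def decode_branch(insn, addr):
    """Classify one big-endian PowerPC word at addr. Returns (kind, target) with
    kind in {'b', 'bc', 'call', 'ret', None} and target an absolute address."""
    opcode, lk, aa = insn >> 26, insn & 1, (insn >> 1) & 1
    if opcode == 18:                        # I-form b/bl: LI is a 26-bit signed byte offset
        disp = sign_extend(insn & 0x03FFFFFC, 26)
    elif opcode == 16:                      # B-form bc/bcl: BD is a 16-bit signed byte offset
        disp = sign_extend(insn & 0xFFFC, 16)
    elif opcode == 19 and ((insn >> 1) & 0x3FF) == 16:   # XL-form bclr (blr): return via LR
        return ('ret', None)
    else:
        return (None, None)                 # not a branch: falls through
    target = disp if aa else (addr + disp) & 0xFFFFFFFF   # AA=1 means absolute
    if lk:                                  # LK=1 (bl/bcl): a call, control comes back
        return ('call', target)
    return ('b' if opcode == 18 else 'bc', target)

def build_cfg(code, base):
    """Split code loaded at base into basic blocks. Returns
    {block_start: [successor_block_starts]}, keeping only edges inside the region."""
    words = struct.unpack('>%dI' % (len(code) // 4), code[:len(code) // 4 * 4])
    end = base + 4 * len(words)
    leaders, flows = {base}, {}
    for i, w in enumerate(words):
        addr, nxt = base + 4 * i, base + 4 * i + 4
        kind, target = decode_branch(w, addr)
        # successors of this word: taken edge first, then fall-through
        flows[addr] = {'b': [target], 'bc': [target, nxt], 'ret': []}.get(kind, [nxt])
        if kind in ('b', 'bc', 'ret'):
            leaders.add(nxt)                # the word after a branch starts a new block
        if kind in ('b', 'bc'):
            leaders.add(target)             # a branch target starts a new block
    starts = sorted(a for a in leaders if base <= a < end)
    cfg = {}
    for j, start in enumerate(starts):
        last = (starts[j + 1] if j + 1 < len(starts) else end) - 4
        cfg[start] = [s for s in flows[last] if base <= s < end]
    return cfg

# Constructed sample, hand-assembled for this example (not Nanokernel code)
SAMPLE = bytes.fromhex(
    '2C030000'   # 0x1000 cmpwi  r3,0
    '4182000C'   # 0x1004 beq    0x1010
    '3863FFFF'   # 0x1008 addi   r3,r3,-1
    '4BFFFFF8'   # 0x100C b      0x1004
    '38600001'   # 0x1010 li     r3,1
    '4E800020')  # 0x1014 blr
```

Running `build_cfg(SAMPLE, 0x1000)` yields four blocks with the back edge from 0x1008 to 0x1004 showing the loop; feeding the dict into `networkx.DiGraph` is a one-liner from there.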